Yaguchi International Law Firm PLLC

Technology and Intellectual Property Law

by

Efforts To Amend The Electronic Communications Privacy Act

What Is The Electronic Communications Privacy Act (“ECPA”)?

The ECPA of 1986 protects a variety of electronic communications and records. Title I protects electronic, wire and oral communications in transit. Title II, the Stored Communications Act (18 U.S.C. §§ 2701-12) (“SCA”) protects stored electronic communications. Title III prohibits the use of trap and trace devices and pen registers, which essentially compile a record of dialed telephone numbers and routing.

Titles I and II both restrict the ability of law enforcement and governmental agencies to acquire communications protected by the ECPA. Title I requires a court authorized search warrant upon a showing of probable cause that the communications sought contain evidence that a crime was committed. Title II of the SCA only requires a similar judicial warrant for stored communications 180 days or less. In the case of stored communications older than 180 days, law enforcement or a governmental agency only need issue an administrative subpoena. That administrative subpoena is essentially a letter from the agency to the holder of the stored communications, such as an Internet Services Provider (“ISP”), that the communications are relevant to an investigation and forces the holder to divulge the stored communications.

This is significant because the standard required for law enforcement or regulatory agency to obtain e-mails or data files older than 180 days differs not only in the age of the communication, but also where the communication is stored. For example, if the communication is stored on a computer hard drive in one’s home or business, law enforcement is required to obtain a search warrant to obtain the data regardless of age. In the case of communications stored with a third party, the standard of proof (i.e., court approved warrant v. agency subpoena) depends upon the amount of time the communication has been stored, with the dividing line being 180 days.

Changes In The Use Of Data Storage

Congress originally passed the SCA and the ECPA in 1986 with a few amendments since then. In the intervening 26 years, data usage drastically changed. Previously, storage, both online and offline was at a premium. In the past, e-mail was predominately downloaded from ISPs to e-mail clients and stored locally on a user’s computer. Alternately, users deleted older e-mails stored on third party servers. Users predominately stored all data and communications locally on their hard drives. Businesses typically stored their communications on their own servers.

The landscape of communication and data storage today has turned to third party “cloud” services. For individuals, Web based e-mail providers such as Gmail, Yahoo and e-mail provided by ISPs with generous storage encourages individuals to keep e-mail and even voice mails in the case of Google Voice on third party servers indefinitely instead of deleting communications or downloading them to local client hard drives. Even businesses have migrated to “cloud services” including hosted e-mail servers and cloud-based backup.

Increases In The Use Of Administrative Subpoenas

At least anecdotally, the amount of agency subpoena requests has dramatically increased. For example, in Google’s Transparency Report (http://www.google.com/transparencyreport/removals/government/), notes in the first half of 2012 it had 1,791 subpoena requests. In the first half of 2011 Google reported 949 such requests.

Recent Efforts To Require Court Issued Warrants For Stored Communications

The good news is that there is movement in the U.S. Senate to amend the ECPA to protect communications older than 180 days older. Legislation introduced by Senator Patrick Leahy recently passed a Senate panel against objections by law enforcement that it would hinder investigations. If passed, the proposed law would require law enforcement and regulatory agencies to obtain a court issued search warrant for all stored communications, regardless of the age. Of course, it is early in the legislative process. Stay tuned.

by

Law Firm Uses Computer Fraud & Abuse Act (“CFAA”)

Previously, I discussed the Computer Fraud and Abuse Act (“CFAA”).  As reported in the Legal Intelligencer, a law firm recently utilized CFAA against one of its former partners and associates who abruptly departed and allegedly used the “Dropbox” software to continue accessing the plaintiff law firm’s computer systems for the benefit of the law firm departing defendants joined.  As reported in the Legal Intelligencer, Elliott Greenleaf & Siedzikowski sued former partner Harrisburg office managing shareholder, two former associates, and others for not only barring plaintiff’s access to files located in the former attorneys’ locked offices, but for also for accessing, modifying, and deleting those files, in violation of the CFAA.  In its complaint filed in the U.S. District Court for the Eastern District of Pennsylvania, plaintiff estimated that defendants deleted approximately five percent of plaintiff’s backup tapes and misappropriated approximately 78,000 proprietary files.  While this case is illustrative of ownership of trade secrets, it also demonstrates how CFAA can be applied to matters involving computers and former business associates and employees.

by

The Computer Fraud and Abuse Act (“CFAA”): It’s Not Just For Hackers

Board RoomIn 1984 Congress enacted the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, to protect against hacking into U.S. government and financial institution computers.  With the expansion of computer use, the explosion of the Internet and the adaption of crime to these expanding technologies, Congress broadened the CFFA to include almost any computer.  Moreover, a 1994 amendment added a civil cause of action to the criminal statute.

The CFAA prohibits seven acts briefly summarized as:

  1. trespassing a computer to commit espionage;
  2. trespassing a computer and obtaining specified financial, credit, governmental or commercial information;
  3. trespassing a government computer;
  4. trespassing a computer to commit fraud;
  5. damaging a computer;
  6. trafficking in computer passwords; and
  7. threatening to damage a computer.

The CFAA contains several definitions that apply the statute broadly.  For example, the CFAA applies to “protected computers.”  This includes computers owned by the U.S. government, financial institutions and those “used in or affecting interstate or foreign commerce or communication.”  Thus, the CFAA applies to virtually all computers.

As abbreviated above, trespassing includes accessing a computer “without authorization” or “exceeding authorized access.”  A Computer Fraud and Abuse Act violator could have authorized computer access such as a log-in ID and password, but later access data that was not within that user’s authorized scope.  By way of example, a bank employee may have authorization to access and modify data in the ordinary course of business, but if the bank employee violates computer use policies by viewing an acquaintance’s account records with no business need to do so, the CFAA is violated by exceeding authorized access.

Federal courts have creatively interpreted the terms “without authorization” and “exceeding authorized access.”  In Shureguard Storage Centers, Inc. v. Safeguard Self Storage, Inc., 119 F. Supp. 2d 1121 (W.D. Wash. 2000), a federal court in Seattle held that a former employee lost “authorized access” when he became an agent of a competitor by e-mailing the competitor trade secrets and proprietary information belonging to the former employer while still employed there.  The court did not rely on a non-disclosure agreement, but rather on an agency common law principle where the employee’s authority terminates when the employee “acquires adverse interests or if he is otherwise guilty of a serious breach of loyalty” to the employer.  While some courts have disagreed with this ruling, see, e.g., Shamrock Foods Co. v. Gast, 535 F. Supp. 2d 962 (D. Ariz. 2008) others have followed this line of reasoning.

In another case involving a former employee who used confidential information obtained from the former employer to benefit a new competitor, the court focused on the use of “Confidential or Proprietary Information” and the existence of a confidentiality agreement.  EF Cultural Travel BV. v. Explorica, Inc., 274 F.3d 577 (1st Cir. 2001).  There, plaintiff was in the business of providing global tours for high school students.  Former executive had confidential information of tour codes and data structure of proprietary information of former employer and was bound by a confidentiality agreement (“NDA”).  The former executive assisted competitor’s Internet consultant in designing a “scraper” program to extract pricing information from former employer’s Web site.  The competitor then used this data to undercut former employer’s prices.  The First Circuit Court of Appeals did not reach the question of whether the competitor was authorized to navigate plaintiff’s Web site to obtain competitive data.  Rather, the court held that defendant former executive exceeded that authorization “by providing proprietary information and know-how” to the Internet consultant to create the scraper program for the competitor.

The CFAA has also been invoked by Web site operators where the user had violated the Web site’s Terms of Service (“TOS”).  America Online, Inc. v. LCGM, Inc., 46 F. Supp. 2d 444 (E. D. Virginia 1998), involved an AOL member who harvested AOL members e-mail addresses for sending unsolicited bulk e-mails (“spam”) via AOL’s network in breach of AOL’s Unsolicited Bulk E-Mail Policy and its TOS.  While the case involved other serious issues such as trademark violations for “spoofing” the spam e-mail messages as being from the “aol.com” domain, the trial court held that the TOS violations rendered defendants’ access as unauthorized and in violation of the CFAA for computer trespassing and gaining commercial information.

While the AOL case involved a member TOS agreement, Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435 (N.D. Texas 2004), involved Southwest Airline’s Web site’s TOS and directly warning defendants about prohibited activities on its Web site.  Defendant software company created and licensed software that could “scrape” Southwest’s Web site to obtain data by “sending out a robot, spider, or other automated scraping device across the Internet.”  Another defendant licensed the software to use in a product for corporate travelers to search airline fare information.  Southwest sued under various theories, including violation of the CFAA.  Defendants argued that Southwest’s Use Agreement (“TOS”) was an unenforceable contract.  The court reserved that fact question as inappropriate in a motion to dismiss.  Rather, the court relied on Southwest’s direct communication to one of the defendants that Southwest prohibited the use of “any deep-link, page-scrape, robot, spider or other automatic device, program, algorithm or methodology which does the same things.”  Thus, Southwest directly informed one defendant that its access was authorized, giving the court grounds to deny defendants’ motion to dismiss this claim.

While the CFAA is a criminal statute, there is a private right of action.  Generally, the prospective plaintiff needs to prove damage to the computer, or “loss” exceeding $5,000.  Losses are defined as “any reasonable costs to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense, and any revenue lost, cost incurred, or consequential damages incurred because of interruption of service.”  Proving the statutory minimum loss to institute a civil lawsuit for injunctive and/or monetary damages can be easily met with costs of investigation and plugging security holes.  The fair value of in-house IT staff has been allowed in the calculation of “loss.”

The CFAA will likely be increasingly used in employment, trade secret and unfair competition cases.  The key takeaways with respect to the CFAA include:

  • Maintain network security;
  • For employees and other “insiders,” require non-disclosure agreements (“NDAs”) and provide clear limits on data access, modification and deletion through a comprehensive IT or computer use policy; and
  • For Web sites, provide clear Terms of Use (“TOS”) and monitor traffic to determine whether there may be a violation of TOS and serve cease and desist letters on identifiable violators.

by

Web Site Terms of Service (“TOS”): A Contract with Web Users?

MeetingWeb Site Terms of Service (“TOS”): A Contract with Web Users? Many Web sites contain a link to a Terms of Service (“TOS”), Terms and Conditions of Use, or similarly titled Web page.  What are these? Essentially, these pages are the site owner’s contract or license agreement with users who simply browse or use the services offered by the site owner.  TOS are important to Web site owners for various reasons such as limiting stresses placed on the host network from unreasonable use, protecting intellectual property, and protecting against inappropriate use of the site. Indeed, Facebook, the popular social networking site that claims 175 million users, had a backlash from users when Facebook changed its terms of use to grant Facebook what protesters claimed was greater control over user content.  Facebook reverted to its former terms of use while it studies the situation.

Are a Web site’s Terms of Service enforceable?  As with most legal issues, the qualified answer is “it depends.”  Most sites’ TOS can be lumped into one of two types of agreements: “click wrap” and “browse wrap” agreements.  There are generally no negotiations on the Internet and a contract or license requires consent.  The type of consent – explicit or implicit – is the differentiator between click wrap and browser wrap agreements. A click wrap agreement requires users to click an “I Agree” button or manifest assent by checking a checkbox.  Click wrap agreements are used particularly by online social networking, membership and commercial online sellers, where the site owners usually also require additional personal information.  This agreement is typically a prerequisite to viewing the site or unlocking members-only content or functionality.  Of course, premium content paid sites and software as a service sites (“SaaS” and formerly referred to as an application service provider or “ASP”) also require electronic payment information and assent to payment terms. Unlike the click wrap agreement, a browse wrap agreement is used passively on a site and is either contained on the site’s homepage or on a Web page accessed via a link to a page containing the site’s TOS.  A user is deemed to consent to the TOS by using the site.  Thus, a browse wrap agreement does not require any clear user agreement with the TOS.  Courts interpreting browse wrap agreements have been mixed as to their validity.  As a general rule, the enforceability of the browse wrap TOS has turned on whether the user has actual or constructive notice that the TOS applies. All Web sites should have a Terms of Service page.  The TOS itself will vary depending on the site itself.  Short of requiring each user to agree to the TOS via an intrusive click wrap agreement, a site owner can increase the likelihood that users have constructive notice of the TOS.  For example, the Web site owner can make the TOS more prominent by using noticeable icons or hyperlink to the TOS with distinguishable font types, font size, capitalizations or emphasis.  Moreover, a header or footer containing language to the effect that use of the site is governed by the TOS would be more effective.

by

IT Digital Device Border Searches Cover More Than Just Laptop Contents

AirplaneIT Digital Device Border Searches Cover More Than Just Laptop Contents.  Those who travel frequently are used to TSA security searches that have become more extensive, time consuming and invasive.  International travelers have likewise faced increased scrutiny when returning to the United States by the U.S. Customs and Border Protection (CBP).  While many realize that enforcement of the customs mission involves inspection for contraband and collection of duties, anecdotal evidence indicates that there is an increased scrutiny to inspect for information that may be related to cybercrimes and the war on terror.  Information may also relate to violation of intellectual property laws, child pornography and other obscene materials, and for violations of national security and export control laws.  Information that once took volumes of books, photographs, CDs/DVDs, etc. can be stored in digital form and can be stored on a small USB flash drive, smart phone, an iPod, or a laptop.  Thus, these digital storage devices while light and portable have become targets of CBP inspecting officers.

Right to Search Digital Devices.  Legally, CBP inspecting officers have the authority to search digital devices incidental to a search at the border.  One exception to the U.S. Constitution’s Fourth Amendment prohibition against unreasonable searches and seizures relates to searches incident to border entries.  United States v. Montoya de Hernandez, 473 U.S. 531 (1985).  The Ninth Circuit Court of Appeals recently ruled that the CBP’s search of digital files does not require any level of suspicion or probable cause prior to the warrantless search.  United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008).  While the inspecting officer may have the authority and the international traveler may have nothing to hide, an inspection of digital devices can be more invasive than a search through one’s underwear.  The inspection may lead to delays and possible impounding of the digital devices for further forensic analysis.

Traveler Responses to Digital Device Search Possibility.  If the traveler wishes to minimize the invasiveness of digital device inspection or if the traveler believes that they may be a likely target due to nature of business, foreign countries visited or the result of perceived profiling (of which the author provides no opinion as to whether CPB uses profiling), there are some steps that the traveler can take to minimize the chances or extent of searches.  First, the traveler can carry no digital device that the traveler does not want inspected or potentially impounded, even if the digital device is later timely released.  Alternately, the traveler can securely delete or “wipe” any data contained on the digital devices to minimize effects of an inspection.

A second alternative is to use the power of “cloud computing” and work with all data through the Internet.  This method is easy given the widespread use of Web access for mail servers and online data storage solutions.  This also assumes that appropriate security procedures are in place such as VPN connections or use of SSL encryption protocols.

A third alternative is use whole or partial hard drive encryption on laptops used while traveling internationally.  This alternative is a no-brainer as any laptop containing proprietary business data, including personally identifiable information subject to data breach notification laws, should already be encrypted.  This begs the question of what should the traveler do if asked by a CBP official for the password.  Not having the data in the first place avoids this issue, but traveling without the data or applications may not be an option.  While travelers are expected and should cooperate with the inspection process, one trial court recently held that an inspected traveler had no duty to provide CBP with a password consistent with the Fifth Amendment of the U.S. Constitition’s privilege against self-incrimination. In re Boucher, 2007 WL 4246473 (Nov. 29, 2009).

While this post only discussed the issue of returning to the United States after international travel, the CBP can inspect an international traveler prior to departing the U.S. to foreign countries.  Likewise, this post did not discuss the issue of foreign customs searches where foreign laws may be less predictable and as protective.  Indeed, the option presented regarding data encryption may be unavailable in certain jurisdictions which also restrict or prohibit importation of strong encryption technology.  U.S. export control laws may also restrict the “exportation” of strong encryption technology.  Know before you fly.

by

Non-Disclosure Agreements and Their Importance

What Is Non-Disclosure Agreement?

A Non-Disclosure Agreement is a contract to protect information considered to be confidential or proprietary and disclosed in an employment relationship or in business transactions.  It is sometimes called “Confidentiality Agreement” or “NDA.”

Why Is A Non-Disclosure Agreement Necessary?

  •  To Protect Trade Secrets.  A Non-Disclosure Agreement is used to protect trade secrets.  A trade secret is any type of information that is not generally known by the public and from which actual or potential economic value can be derived.  The owner of a trade secret must use reasonable efforts to maintain secrecy.  By using Non-Disclosure Agreement, a trade secret owner can maintain the trade secret status, while preventing the recipient of the information from further disclosing the information to a third party and retaining control over use of that information. In many circumstances, a NDA can be specifically enforced judicially through injunctive relief.
  • To Create A Business Relationship.  A Non-Disclosure Agreement is also used in common business transactions where any confidential or proprietary information is shared.  For example, when companies expand their business or create a strategic alliance such as a joint venture, development agreement or outsource business processes, the strategic partner receiving the confidential information needs limits on use and further disclosure of the confidential information.  A Non-Disclosure Agreement allows the disclosing party to share its proprietary and confidential information with others without unduly jeopardizing the information.

 Non-Disclosure Agreement Considerations

  1. Definition of Confidential Information.  The definition of “Confidential Information” plays a very important part of a Non-Disclosure Agreement because it determines the scope of information disclosed and protected under the NDA.  The definition of confidential information needs to be specifically defined such as the forms of confidential information (e.g., tangible or intangible).  In most cases, the agreement includes the provision where orally disclosed information is protected if the disclosing party confirms the confidential nature of the disclosure in writing within a certain period of time.  Indeed, the form of confidential information is irrelevant to its status as a trade secret.  The Washington Supreme Court held that a memorized customer list did not lose its trade secret protected status merely because a former employee did not take the list in a tangible form.
  2. Non-Disclosure Agreement Types.  A Non-Disclosure Agreement is often categorized as either mutual or one-way, but it is also used among multiple companies such as for the purpose of a strategic alliance.
  3. No Use or Disclosure of Confidential Information.  Typically the disclosing party seeks to limit the recipient from disclosure to any third party or restrict use of the confidential information other than the purpose described in the NDA.  Indeed, a typical requirement is that the confidential information is allowed to be provided to the disclosing party’s employees on a need to know basis.  Generally, where confidential information is sought by a governmental body or requested by subpoena or other court order, the recipient must resist such request, notify the disclosing party and cooperate with the disclosing party in challenging the request.
  4. Limits on Confidential Information.  A Non-Disclosure Agreement generally puts some limits on the type of information such as information already in public domain, possessed by the recipient before being disclosed by the discloser or independently developed within the recipient’s organization.  Another purpose to limit confidential information is to make sure that the Non-Disclosure Agreement is not extended too much and to comply with the Uniform Trade Secret Act.
  5. Term of Non-Disclosure Agreement.  A Non-Disclosure Agreement is usually meant for a specific purpose and should be documented for each purpose.  Generally, the protection of confidential information remains even after the relationship of the parties ceases, so long as the confidential information remains a secret.